SAP · jliempt · Sep 11, 2024 · Aug 12, 2024 · Aug 19, 2024 · Aug 21, 2024
@@ -41,6 +41,7 @@ type GeneralConfigOptions struct {
  VaultServerURL string
  VaultNamespace string
  VaultPath string
+ TrustEngineToken string
  HookConfig HookConfiguration
  MetaDataResolver func() map[string]config.StepData
  GCPJsonKeyFilePath string
@@ -51,10 +52,11 @@ type GeneralConfigOptions struct {
 
 // HookConfiguration contains the configuration for supported hooks, so far Sentry and Splunk are supported.
 type HookConfiguration struct {
- SentryConfig SentryConfiguration `json:"sentry,omitempty"`
- SplunkConfig SplunkConfiguration `json:"splunk,omitempty"`
- PendoConfig PendoConfiguration `json:"pendo,omitempty"`
- OIDCConfig OIDCConfiguration `json:"oidc,omitempty"`
+ SentryConfig SentryConfiguration `json:"sentry,omitempty"`
+ SplunkConfig SplunkConfiguration `json:"splunk,omitempty"`
+ PendoConfig PendoConfiguration `json:"pendo,omitempty"`
+ OIDCConfig OIDCConfiguration `json:"oidc,omitempty"`
+ TrustEngineConfig TrustEngineConfiguration `json:"trustEngine,omitempty"`
 }
 
 // SentryConfiguration defines the configuration options for the Sentry logging system
@@ -82,6 +84,10 @@ type OIDCConfiguration struct {
  RoleID string `json:",roleID,omitempty"`
 }
 
+type TrustEngineConfiguration struct {
+ ServerURL string `json:",baseURL,omitempty"`
+}
+
 var rootCmd = &cobra.Command{
  Use: "piper",
  Short: "Executes CI/CD steps from project 'Piper' ",

diff --git a/cmd/sonarExecuteScan_generated.go b/cmd/sonarExecuteScan_generated.go
@@ -11,6 +11,8 @@ import (
  "regexp"
  "strings"
 
+ "github.com/SAP/jenkins-library/pkg/trustengine"
+
  piperhttp "github.com/SAP/jenkins-library/pkg/http"
  "github.com/SAP/jenkins-library/pkg/log"
 
@@ -21,16 +23,17 @@ import (
 
 // Config defines the structure of the config files
 type Config struct {
- CustomDefaults []string `json:"customDefaults,omitempty"`
- General map[string]interface{} `json:"general"`
- Stages map[string]map[string]interface{} `json:"stages"`
- Steps map[string]map[string]interface{} `json:"steps"`
- Hooks map[string]interface{} `json:"hooks,omitempty"`
- defaults PipelineDefaults
- initialized bool
- accessTokens map[string]string
- openFile func(s string, t map[string]string) (io.ReadCloser, error)
- vaultCredentials VaultCredentials
+ CustomDefaults []string `json:"customDefaults,omitempty"`
+ General map[string]interface{} `json:"general"`
+ Stages map[string]map[string]interface{} `json:"stages"`
+ Steps map[string]map[string]interface{} `json:"steps"`
+ Hooks map[string]interface{} `json:"hooks,omitempty"`
+ defaults PipelineDefaults
+ initialized bool
+ accessTokens map[string]string
+ openFile func(s string, t map[string]string) (io.ReadCloser, error)
+ vaultCredentials VaultCredentials
+ trustEngineConfiguration trustengine.Configuration
 }
 
 // StepConfig defines the structure for merged step configuration
@@ -270,6 +273,14 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri
  }
  }
 
+ err = c.SetTrustEngineConfiguration(stepConfig.HookConfig)
+ if err != nil {
+ trustengineClient := trustengine.PrepareClient(c.trustEngineConfiguration)
+ ResolveAllTrustEngineReferences(&stepConfig, append(parameters, ReportingParameters.Parameters...), c.trustEngineConfiguration, trustengineClient)
+ } else {
+ log.Entry().WithError(err).Warn("Trust Engine lookup skipped")
+ }
+
  // finally do the condition evaluation post processing
  for _, p := range parameters {
  if len(p.Conditions) > 0 {

@@ -0,0 +1,51 @@
+package config
+
+import (
+ "errors"
+ "os"
+
+ piperhttp "github.com/SAP/jenkins-library/pkg/http"
+ "github.com/SAP/jenkins-library/pkg/log"
+ "github.com/SAP/jenkins-library/pkg/trustengine"
+)
+
+// ResolveAllTrustEngineReferences retrieves all the step's secrets from the trust engine
+func ResolveAllTrustEngineReferences(config *StepConfig, params []StepParameters, trustEngineConfiguration trustengine.Configuration, client *piperhttp.Client) {
+ for _, param := range params {
+ if ref := param.GetReference("trustengineSecret"); ref != nil {
+ if config.Config[param.Name] == "" { // what if Jenkins set the secret?
+ log.Entry().Infof("Getting %s from Trust Engine", ref.Name)
+ token, err := trustengine.GetToken(ref.Name, client, trustEngineConfiguration)
+ if err != nil {
+ log.Entry().Info(" failed")
+ log.Entry().WithError(err).Warnf("Couldn't get %s secret from Trust Engine", param.Name)
+ continue
+ }
+ log.RegisterSecret(token)
+ config.Config[param.Name] = token
+ log.Entry().Info(" succeeded")
+ }
+ }
+ }
+}
+
+// SetTrustEngineConfiguration sets the server URL and token
+func (c *Config) SetTrustEngineConfiguration(hookConfig map[string]interface{}) error {
+ c.trustEngineConfiguration = trustengine.Configuration{}
+ c.trustEngineConfiguration.Token = os.Getenv("PIPER_TRUST_ENGINE_TOKEN")
+ if len(c.trustEngineConfiguration.Token) == 0 {
+ log.Entry().Warn("No Trust Engine token environment variable set or is empty string")
+ }
+
+ trustEngineHook, ok := hookConfig["trustengine"].(map[string]interface{})
+ if !ok {
+ return errors.New("no trust engine hook configuration found")
+ }
+ serverURL, ok := trustEngineHook["serverURL"].(string)
+ if ok {
+ c.trustEngineConfiguration.ServerURL = serverURL
+ } else {
+ return errors.New("no server URL found in trust engine hook configuration")
+ }
+ return nil
+}
@@ -0,0 +1,66 @@
+package config
+
+import (
+ "fmt"
+ piperhttp "github.com/SAP/jenkins-library/pkg/http"
+ "github.com/SAP/jenkins-library/pkg/trustengine"
+ "github.com/jarcoal/httpmock"
+ "net/http"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+const secretName = "token"
+const secretNameInTrustEngine = "sonar"
+const testBaseURL = "https://www.project-piper.io/tokens"
+const mockSonarToken = "mockSonarToken"
+
+var mockSingleTokenResponse = fmt.Sprintf("{\"sonar\": \"%s\"}", mockSonarToken)
+
+func TestTrustEngineConfig(t *testing.T) {
+ httpmock.Activate()
+ defer httpmock.DeactivateAndReset()
+ httpmock.RegisterResponder(http.MethodGet, testBaseURL+"?systems=sonar", httpmock.NewStringResponder(200, mockSingleTokenResponse))
+
+ stepParams := []StepParameters{stepParam(secretName, "trustengineSecret", secretNameInTrustEngine, secretName)}
+
+ trustEngineConfiguration := trustengine.Configuration{
+ Token: "mockToken",
+ ServerURL: testBaseURL,
+ }
+ client := &piperhttp.Client{}
+ client.SetOptions(piperhttp.ClientOptions{MaxRetries: -1, UseDefaultTransport: true})
+
+ t.Run("Load secret from Trust Engine - secret not set yet by Vault or config.yml", func(t *testing.T) {
+ stepConfig := &StepConfig{Config: map[string]interface{}{
+ secretName: "",
+ }}
+
+ ResolveAllTrustEngineReferences(stepConfig, stepParams, trustEngineConfiguration, client)
+ assert.Equal(t, mockSonarToken, stepConfig.Config[secretName])
+ })
+
+ t.Run("Load secret from Trust Engine - secret already by Vault or config.yml", func(t *testing.T) {
+ stepConfig := &StepConfig{Config: map[string]interface{}{
+ secretName: "aMockTokenFromVault",
+ }}
+
+ ResolveAllTrustEngineReferences(stepConfig, stepParams, trustEngineConfiguration, client)
+ assert.NotEqual(t, mockSonarToken, stepConfig.Config[secretName])
+ })
+}
+
+func stepParam(name, refType, vaultSecretNameProperty, defaultSecretNameName string) StepParameters {
+ return StepParameters{
+ Name: name,
+ Aliases: []Alias{},
+ ResourceRef: []ResourceReference{
+ {
+ Type: refType,
+ Name: vaultSecretNameProperty,
+ Default: defaultSecretNameName,
+ },
+ },
+ }
+}
@@ -0,0 +1,96 @@
+package trustengine
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io"
+ "net/http"
+ "strings"
+
+ piperhttp "github.com/SAP/jenkins-library/pkg/http"
+ "github.com/SAP/jenkins-library/pkg/log"
+)
+
+type Secret struct {
+ Token string
+ System string
+}
+
+type Response struct {
+ Secrets []Secret
+}
+
+type Configuration struct {
+ ServerURL string
+ Token string
+}
+
+// GetToken requests a single token
+func GetToken(refName string, client *piperhttp.Client, trustEngineConfiguration Configuration) (string, error) {
+ secrets, err := GetSecrets([]string{refName}, client, trustEngineConfiguration)
+ if err != nil {
+ return "", errors.Join(err, errors.New("couldn't get token from trust engine"))
+ }
+ for _, s := range secrets {
+ if s.System == refName {
+ return s.Token, nil
+ }
+ }
+ return "", errors.New("could not find token in trust engine response")
+}
+
+// GetSecrets transforms the trust engine JSON response into trust engine secrets, and can be used to request multiple tokens
+func GetSecrets(refNames []string, client *piperhttp.Client, trustEngineConfiguration Configuration) ([]Secret, error) {
+ var secrets []Secret
+ response, err := GetResponse(refNames, client, trustEngineConfiguration)
+ if err != nil {
+ return secrets, errors.Join(err, errors.New("getting secrets from trust engine failed"))
+ }
+ for k, v := range response {
+ secrets = append(secrets, Secret{
+ System: k,
+ Token: v})
+ }
+
+ return secrets, nil
+}
+
+// GetResponse returns a map of the JSON response that the trust engine puts out
+func GetResponse(refNames []string, client *piperhttp.Client, trustEngineConfiguration Configuration) (map[string]string, error) {
+ var secrets map[string]string
+ query := fmt.Sprintf("?systems=%s", strings.Join(refNames, ","))
+ fullURL := trustEngineConfiguration.ServerURL + query
+
+ header := make(http.Header)
+ header.Add("Accept", "application/json")
+
+ log.Entry().Debugf("with URL %s", fullURL)
+ response, err := client.SendRequest(http.MethodGet, fullURL, nil, header, nil)
+ if err != nil && response != nil {
+ // the body contains full error message which we want to log
+ bodyBytes, bodyErr := io.ReadAll(response.Body)
+ if bodyErr == nil {
+ err = errors.Join(err, errors.New(string(bodyBytes)))
+ }
+ }
+ if err != nil {
+ return secrets, errors.Join(err, errors.New("getting response from trust engine failed"))
+ }
+ defer response.Body.Close()
+
+ err = json.NewDecoder(response.Body).Decode(&secrets)
+ if err != nil {
+ return secrets, errors.Join(err, errors.New("getting response from trust engine failed"))
+ }
+
+ return secrets, nil
+}
+
+func PrepareClient(trustEngineConfiguration Configuration) *piperhttp.Client {
+ client := piperhttp.Client{}
+ client.SetOptions(piperhttp.ClientOptions{
+ Token: fmt.Sprintf("Bearer %s", trustEngineConfiguration.Token),
+ })
+ return &client
+}
@@ -0,0 +1,72 @@
+package trustengine
+
+import (
+ "fmt"
+ "github.com/jarcoal/httpmock"
+ "net/http"
+ "testing"
+
+ piperhttp "github.com/SAP/jenkins-library/pkg/http"
+ "github.com/stretchr/testify/assert"
+)
+
+const testBaseURL = "https://www.project-piper.io/tokens"
+const mockSonarToken = "mockSonarToken"
+const mockCumulusToken = "mockCumulusToken"
+const errorMsg403 = "unauthorized to request token"
+
+var mockSingleTokenResponse = fmt.Sprintf("{\"sonar\": \"%s\"}", mockSonarToken)
+var mockTwoTokensResponse = fmt.Sprintf("{\"sonar\": \"%s\", \"cumulus\": \"%s\"}", mockSonarToken, mockCumulusToken)
+var trustEngineConfiguration = Configuration{
+ Token: "testToken",
+ ServerURL: testBaseURL,
+}
+
+func TestTrustEngine(t *testing.T) {
+ httpmock.Activate()
+ defer httpmock.DeactivateAndReset()
+
+ t.Run("Get Sonar token - happy path", func(t *testing.T) {
+ httpmock.RegisterResponder(http.MethodGet, testBaseURL+"?systems=sonar", httpmock.NewStringResponder(200, mockSingleTokenResponse))
+
+ client := &piperhttp.Client{}
+ client.SetOptions(piperhttp.ClientOptions{MaxRetries: -1, UseDefaultTransport: true})
+
+ token, err := GetToken("sonar", client, trustEngineConfiguration)
+ assert.NoError(t, err)
+ assert.Equal(t, mockSonarToken, token)
+ })
+
+ t.Run("Get multiple tokens - happy path", func(t *testing.T) {
+ httpmock.RegisterResponder(http.MethodGet, testBaseURL+"?systems=sonar,cumulus", httpmock.NewStringResponder(200, mockTwoTokensResponse))
+
+ client := &piperhttp.Client{}
+ client.SetOptions(piperhttp.ClientOptions{MaxRetries: -1, UseDefaultTransport: true})
+
+ secrets, err := GetSecrets([]string{"sonar", "cumulus"}, client, trustEngineConfiguration)
+
+ assert.NoError(t, err)
+ assert.Len(t, secrets, 2)
+ for _, s := range secrets {
+ switch system := s.System; system {
+ case "sonar":
+ assert.Equal(t, mockSonarToken, s.Token)
+ case "cumulus":
+ assert.Equal(t, mockCumulusToken, s.Token)
+ default:
+ continue
+ }
+ }
+ })
+
+ t.Run("Get Sonar token - 403 error", func(t *testing.T) {
+ httpmock.RegisterResponder(http.MethodGet, testBaseURL+"?systems=sonar", httpmock.NewStringResponder(403, errorMsg403))
+
+ client := &piperhttp.Client{}
+ client.SetOptions(piperhttp.ClientOptions{MaxRetries: -1, UseDefaultTransport: true})
+
+ _, err := GetToken("sonar", client, trustEngineConfiguration)
+ assert.Error(t, err)
+ })
+
+}
diff --git a/resources/metadata/sonarExecuteScan.yaml b/resources/metadata/sonarExecuteScan.yaml
@@ -53,6 +53,8 @@ spec:
  default: sonar
  - name: sonarTokenCredentialsId
  type: secret
+ - name: sonar
+ type: trustengineSecret
  aliases:
  - name: sonarToken
  - name: organization